Posted by Stefan Kanthak on Aug 12
Hi @ll,
several of Microsoft’s Sysinternals utilities extract executables
to %TEMP% and run them from there; the extracted executables are
vulnerable to DLL hijacking, allowing arbitrary code execution in
every user account and escalation of privilege in “protected
administrator” accounts [*].
* CoreInfo.exe:
extracts on x64 an embedded CoreInfo64.exe to %TEMP% which loads
%TEMP%\VERSION.DLL (on Windows Vista and newer)…
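As an added example that is not part of Stefan Kanthak's post: a PowerShell check a defender can run to see whether %TEMP% currently holds DLLs that would shadow System32 DLLs for any executable launched from that directory, which is the condition the post describes. It assumes the standard Windows DLL search order (the application directory is searched before System32 for any DLL not on the KnownDLLs list); generalising from VERSION.DLL to every same-named DLL in %TEMP% is my extension, not something the post states.

```powershell
# Added example, not code from the original post.
# Audit %TEMP% for DLLs that would shadow System32 DLLs for executables
# run from %TEMP%. Assumption: application directory is searched before
# System32 for DLLs that are not KnownDLLs, so a same-named DLL planted
# next to the extracted executable is the one that gets loaded.

$temp     = [System.IO.Path]::GetFullPath($env:TEMP)
$system32 = Join-Path $env:SystemRoot 'System32'

# KnownDLLs are always mapped from System32 regardless of search order,
# so a same-named file in %TEMP% cannot hijack them; exclude them.
$knownDlls = @()
$knownKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
if (Test-Path $knownKey) {
    $props     = Get-ItemProperty -Path $knownKey
    $knownDlls = $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and
                       $_.Name -notin @('DllDirectory', 'DllDirectory32') } |
        ForEach-Object { $_.Value.ToString().ToLowerInvariant() }
}

$exes = @(Get-ChildItem -Path $temp -Filter *.exe -File -ErrorAction SilentlyContinue)
$dlls = @(Get-ChildItem -Path $temp -Filter *.dll -File -ErrorAction SilentlyContinue)

foreach ($dll in $dlls) {
    $name    = $dll.Name.ToLowerInvariant()
    $shadows = Test-Path (Join-Path $system32 $dll.Name)
    $isKnown = $knownDlls -contains $name
    if ($shadows -and -not $isKnown) {
        # A DLL in %TEMP% with the name of a System32 DLL that is not a
        # KnownDLL: any EXE started from %TEMP% that imports it loads this copy.
        $sig = Get-AuthenticodeSignature -FilePath $dll.FullName
        [PSCustomObject]@{
            Dll             = $dll.FullName
            Owner           = (Get-Acl -Path $dll.FullName).Owner
            SignatureStatus = $sig.Status
            Signer          = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
            ExesInTemp      = $exes.Count
        }
    }
}
```

A hit with SignatureStatus other than Valid, or a signer that is not Microsoft, for a name such as VERSION.DLL is exactly the planted file the post warns about; a clean run only says nothing is planted right now, since the user (or anything running as the user) can write to %TEMP% at any time.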